earned patent term adjustment. See 37 CFR 1.704(b).

2a) \Z\ This action is FINAL. 2b) ^ This action is non-final.

3) 0 Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

4) ^ Claim(s) 1-19 is/are pending in the application.

5) n Claim(s) is/are allowed.

6) S Claim(s) 1-19 is/are rejected. 

7) n Claim(s) is/are objected to.

DETAILED ACTION



Claim Rejections - 35 USC § 102

1. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that
form the basis for the rejections under this section made in this Office action:

A person shall be entitled to a patent unless - 

(b) the invention was patented or described in a printed publication in this or a foreign country or in public 
use or on sale in this country, more than one year prior to the date of application for patent in the United 
States. 

2. Claims 1-19 are rejected under 35 U.S.C. 102(b) as being anticipated by
Nachenberg (US pat 5,826,013).

Regarding claim 1, Nachenberg teaches a method of detecting a computer virus
that attempts to gain access to restricted computer system resources, comprising:
emulating computer executable code in a subject file (col.6 lines 45-48); and
monitoring the emulation of the computer executable code and monitoring a
memory state of the computer system for modifications caused by the emulated
instructions in the computer executable code, to detect an attempt by the emulated
code to access one or more of the restricted computer system resources (col.6 line 54
thru col.7 line 8; col. 12 line 64 thru col. 13 line 10).

Regarding claim 2, Nachenberg teaches monitoring the emulation includes
detecting installation of a new exception handler followed by forcing of a corresponding 
exception. 

Regarding claim 5, Nachenberg teaches monitoring the emulation includes 
detecting installation of a new interrupt handler followed by forcing of a corresponding 
interrupt (col.3 lines 37-46; col.4 lines 24-31). 

Regarding claim 6, Nachenberg teaches monitoring the emulation includes 
detecting writing of a new pointer to at least one predetermined address in system 
memory for storing an interrupt handler pointer (col.3 lines 54-59; col. 12 line 64 thru 
col.13 line 10). 

Regarding claim 7, Nachenberg teaches monitoring the emulation includes 
detecting use of a predetermined instruction to retrieve an address in system memory 
corresponding to an interrupt descriptor table (col.9 lines 24-32; col.11 lines 23-28).

Claim 8 is a program storage device claim that is substantially equivalent to
method claim 1, therefore claim 8 is rejected for the same reasons.

Claim 9 is a system claim that is substantially equivalent to method claim 1,
therefore claim 9 is rejected for the same reasons.

Regarding claim 10, Nachenberg teaches a computer data signal embodied in a
transmission medium which embodies a program of instructions executable by a 
computer for detecting a computer virus that attempts to gain access to restricted 
computer system resources, comprising: 

a first segment including emulation code to emulate computer executable code in 
a subject file (col.6 lines 45-48); and 

a second segment including monitor code to monitor emulation of the computer 
executable code and monitoring a memory state of the computer system for 
modifications caused by the emulated instructions in the computer executable code 
(col.6 line 54 thru col.7 line 8; col. 12 line 64 thru col. 13 line 10); and

a third segment including detector code to detect an attempt by the emulated 
code to access one or more of the restricted computer system resources (col.9 lines
19-23; col. 11 lines 3-22).

Claim 11 is an apparatus claim that is substantially equivalent to computer data
signal claim 10, therefore claim 11 is rejected for the same reasons.

Regarding claim 12, Nachenberg teaches the monitor component monitors 
system memory (col.4 lines 25-29).

Regarding claim 13, Nachenberg teaches the detector component detects
installation of a new exception handler (col.9 lines 19-23; col.11 lines 3-22).

Regarding claim 14, Nachenberg teaches after the detector component detects 
installation of a new exception handler, the detector component monitors code 
execution to detect forcing of a corresponding exception (col.11 lines 3-22; col. 12 lines
20-30). 

Regarding claim 15, Nachenberg teaches the detector component detects writing 
of a new pointer to at least one predetermined address in system memory for storing an 
exception handler pointer (col. 3 lines 54-59; col.11 lines 3-22; col. 12 line 64 thru col. 13
line 10). 

Regarding claim 16, Nachenberg teaches the detector component detects 
installation of a new interrupt handler (col. 3 lines 37-46; col.4 lines 24-31).

Regarding claim 17, Nachenberg teaches after the detector component detects 
installation of a new interrupt handler, the detector component monitors code execution 
to detect forcing of a corresponding interrupt (col. 3 lines 37-46; col.4 lines 24-31; col. 9
lines 24-32; col.11 lines 23-28).

Regarding claim 18, Nachenberg teaches the detector component detects writing
of a new pointer to at least one predetermined address in system memory for storing an
interrupt handler pointer (col.9 lines 24-32; col.11 lines 23-28).

Regarding claim 19, Nachenberg teaches the monitor component detects use of 
a predetermined instruction to retrieve an address in system memory corresponding to
an interrupt descriptor table (col.9 lines 24-32; col.11 lines 23-28).

Conclusion 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tremayne M. Norris whose telephone number is (571)
272-3874. The examiner can normally be reached on M-F 7:30AM-5:00PM alternate 
Fridays. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Andrew Caldwell, can be reached on (571) 272-3868. The fax phone
number for the organization where this application or proceeding is assigned is
703-872-9306.

Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Tremayne Norris 



October 29, 2004 




